
RST Cloud - Threat Feed API

This integration is part of the RST Threat Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This is the RST Threat Feed integration for interacting with the RST Cloud Threat Feed API. This integration was integrated and tested with RST Cloud - Threat Feed API v1.

Please contact the RST Cloud team via email support@rstcloud.net to obtain a key and ask any questions you have. Also, the following contact details can be used:

Each indicator is scored from 0 to 100. Indicators are collected from multiple sources and cross-verified using multiple criteria. Check the indicator tags and malware family fields: an indicator may describe known malware or merely a scanning host, so different actions may be required depending on the context.

Configure RST Cloud - Threat Feed API on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for RST Cloud - Threat Feed API.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL (e.g. https://api.rstcloud.net/v1) | | True |
    | API Key | | True |
    | Score threshold for IP reputation command | Set this to determine the RST Threat Feed score above which an IP is considered malicious (0-100) | True |
    | Score threshold for domain reputation command | Set this to determine the RST Threat Feed score above which a domain is considered malicious (0-100) | True |
    | Score threshold for url reputation command | Set this to determine the RST Threat Feed score above which a URL is considered malicious (0-100) | True |
    | Score threshold for file reputation command | Set this to determine the RST Threat Feed score above which a file is considered malicious (0-100) | True |
    | IP Indicator Expiration (days) | Mark IP indicators older than the indicator_expiration_ip value (in days) as Suspicious, ignoring the last available score | True |
    | Domain Indicator Expiration (days) | Mark domain indicators older than the indicator_expiration_domain value (in days) as Suspicious, ignoring the last available score | True |
    | URL Indicator Expiration (days) | Mark URL indicators older than the indicator_expiration_url value (in days) as Suspicious, ignoring the last available score | True |
    | Hash Indicator Expiration (days) | Mark hash indicators older than the indicator_expiration_url value (in days) as Suspicious, ignoring the last available score | True |
    | Use system proxy settings | | False |
    | Trust any certificate (not secure) | | False |
  4. Click Test to validate the URLs, token, and connection.
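The score thresholds and the expiration windows above, together with the per-command `threshold` argument documented under each reputation command, decide the DBotScore an indicator receives. The Python below is an added illustration written for this page, not the integration's own code: it derives a DBotScore from an RST score and its LastSeen date the way those parameter descriptions read. The configuration key names, the evaluation date (`as_of`) and the handling of scores at or below the threshold as Suspicious are assumptions; the page's examples only show the outcomes 2 and 3.

```python
from datetime import datetime, timezone

# Cortex XSOAR DBotScore values used by the examples on this page.
DBOT_SUSPICIOUS = 2
DBOT_BAD = 3

# Constructed instance settings mirroring the parameter table above.
# The key names are ours; the instance stores them under its own names.
INSTANCE_CONFIG = {
    "threshold": {"ip": 45, "domain": 45, "url": 30, "file": 5},
    "expiration_days": {"ip": 30, "domain": 30, "url": 30, "file": 30},
}


def parse_rst_date(value):
    """Parse the feed's timestamp format (e.g. 2021-01-26T00:00:00.000Z) as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def effective_threshold(ioc_type, config, arg_threshold=None):
    """The command's threshold argument wins; otherwise use the instance setting."""
    if arg_threshold is not None:
        return int(arg_threshold)
    return int(config["threshold"][ioc_type])


def is_expired(last_seen, max_age_days, now):
    """An indicator older than the expiration window no longer has a trusted score."""
    return (now - last_seen).days > max_age_days


def dbot_score(ioc_type, rst_score, last_seen_iso, config, arg_threshold=None, as_of=None):
    """Map an RST score (0-100) plus its LastSeen date to a DBotScore.

    as_of: evaluation date as YYYY-MM-DD (UTC); defaults to today. Passing it
    explicitly keeps the expiration check reproducible.
    """
    if as_of is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if is_expired(parse_rst_date(last_seen_iso), config["expiration_days"][ioc_type], now):
        # Stale indicator: Suspicious regardless of the last available score.
        return DBOT_SUSPICIOUS
    score = int(rst_score)  # the feed returns the score as a string, e.g. "3"
    if score > effective_threshold(ioc_type, config, arg_threshold):
        return DBOT_BAD
    # Assumption: anything at or below the threshold stays Suspicious, as in the
    # page's examples; the real integration may map low scores differently.
    return DBOT_SUSPICIOUS


def build_dbot_entry(indicator, ioc_type, rst_entry, config, arg_threshold=None, as_of=None):
    """Produce a DBotScore context object of the shape shown in the command examples."""
    return {
        "Indicator": indicator,
        "Score": dbot_score(ioc_type, rst_entry["Score"], rst_entry["LastSeen"],
                            config, arg_threshold, as_of),
        "Type": ioc_type,
        "Vendor": "RST Cloud",
    }


if __name__ == "__main__":
    # Sample entries taken from the context examples further down this page.
    ip_entry = {"Score": "3", "LastSeen": "2021-01-26T00:00:00.000Z"}
    file_entry = {"Score": "6", "LastSeen": "2022-03-11T00:00:00.000Z"}
    print(build_dbot_entry("1.2.3.4", "ip", ip_entry, INSTANCE_CONFIG, 50, "2021-01-27"))
    print(build_dbot_entry("fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc",
                           "file", file_entry, INSTANCE_CONFIG, 5, "2022-03-15"))
```

Run against the page's own samples, the IP (score 3, threshold 50) comes out as 2 and the file hash (score 6, threshold 5) as 3, matching the DBotScore values in the context examples; a high-scoring IP whose LastSeen is older than the expiration window drops to 2 no matter what its score says.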

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ip#


Returns IP information and reputation.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | List of IPs. | Required |
| threshold | If the IP has a reputation score above the threshold, the IP is defined as malicious. If threshold is not set, the threshold from the instance configuration is used. Default is 45. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| IP.Address | String | IP address. |
| IP.Geo.Country | String | Country of origin. |
| IP.Tags | String | The associated tags. |
| IP.Malicious.Vendor | String | The vendor reporting the IP address as malicious. |
| IP.Malicious.Description | String | A description explaining why the IP address was reported as malicious. |
| IP.Malicious.Score | String | The score calculated for the indicator by the vendor. |
| RST.IP.Address | String | The actual IP address. |
| RST.IP.Geo.Country | String | The country name. |
| RST.IP.Geo.Region | String | The geo region name. |
| RST.IP.Geo.City | String | The city name. |
| RST.IP.ASN | String | The autonomous system name for the IP address. |
| RST.IP.Organization | String | The organisation name for the autonomous system of the IP address. |
| RST.IP.ISP | String | The Internet Service Provider name for the autonomous system of the IP address. |
| RST.IP.CloudHosting | String | The Cloud Provider name for the IP address. |
| RST.IP.NumberOfDomainInASN | String | The number of domain names for the IP address. |
| RST.IP.FirstSeen | Date | First Seen. |
| RST.IP.LastSeen | Date | Last Seen. |
| RST.IP.Tags | String | The associated tags. |
| RST.IP.Threat | String | The associated Malware Family or threat name. |
| RST.IP.Score | Number | The total score. |
| RST.IP.UUID | String | The unique ID for the indicator. |
| RST.IP.RSTReference | String | The link to the raw JSON indicator. |
| RST.IP.Related | String | The associated domains. |
| RST.IP.FalsePositive | String | true if it is likely a False Positive. |
| RST.IP.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |
| RST.IP.CVE | String | Related CVE (vulnerabilities). |
| RST.IP.Industry | String | Related Industry. |
| RST.IP.Report | String | Collected from. |

Command Example#

!ip ip=1.2.3.4 threshold=50

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "1.2.3.4",
    "Score": 2,
    "Type": "ip",
    "Vendor": "RST Cloud"
  },
  "IP": {
    "ASN": "4788",
    "Address": "1.2.3.4",
    "Geo": {
      "Country": "Malaysia"
    },
    "Tags": [
      "c2",
      "generic"
    ]
  },
  "RST": {
    "IP": {
      "ASN": "4788",
      "Address": "1.2.3.4",
      "CloudHosting": "",
      "FalsePositive": "false",
      "FalsePositiveDesc": "",
      "FirstSeen": "2019-12-05T00:00:00.000Z",
      "Geo": {
        "city": "Batang Kali",
        "country": "Malaysia",
        "region": "Selangor"
      },
      "ISP": "TMNETASAP",
      "LastSeen": "2021-01-26T00:00:00.000Z",
      "NumberOfDomainInASN": "9615",
      "Organization": "TM Net Internet Service Provider",
      "RSTReference": "https://rstcloud.net/uuid?id=8f10a17d-9931-3329-b97f-db3953c093e2",
      "Related": [],
      "Score": "3",
      "Tags": [
        "c2",
        "generic"
      ],
      "Threat": [
        "emotet"
      ],
      "Type": "IP",
      "UUID": "8f10a17d-9931-3329-b97f-db3953c093e2"
    }
  }
}
```

Human Readable Output#

RST Threat Feed IP Reputation for: 1.2.3.4#

| Description | Last Seen | Relevance | Score | Tags | Threat |
| --- | --- | --- | --- | --- | --- |
| Ioc with tags: c2, generic. related threats: emotet | 2021-01-26 | Suspicious | 3 | c2, generic | emotet |

domain#


Returns Domain information and reputation.

Base Command#

domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | List of Domains. | Required |
| threshold | If the domain has a reputation score above the threshold, the domain is defined as malicious. If threshold is not set, the threshold from the instance configuration is used. Default is 45. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| Domain.Name | String | The domain name. |
| Domain.Tags | String | The associated tags. |
| Domain.Malicious.Vendor | String | The vendor reporting the domain as malicious. |
| Domain.Malicious.Description | String | A description explaining why the domain was reported as malicious. |
| Domain.Malicious.Score | String | The score calculated for the indicator by the vendor. |
| RST.Domain.Name | String | The domain name. |
| RST.Domain.WhoisAge | Number | Days since creation. |
| RST.Domain.WhoisDomainCreationDate | Date | Creation date. Format is ISO8601. |
| RST.Domain.WhoisDomainUpdateDate | Date | Update date. Format is ISO8601. |
| RST.Domain.WhoisDomainExpireDate | Date | Expiration date. Format is ISO8601. |
| RST.Domain.WhoisRegistrar | String | Domain Registrar. |
| RST.Domain.WhoisRegistrant | String | Domain Registrant. |
| RST.Domain.FirstSeen | Date | First Seen. |
| RST.Domain.LastSeen | Date | Last Seen. |
| RST.Domain.Tags | String | The associated tags. |
| RST.Domain.Threat | String | The associated Malware Family or threat name. |
| RST.Domain.Score | Number | The total score. |
| RST.Domain.UUID | String | The unique ID for the indicator. |
| RST.Domain.RSTReference | String | The link to the raw JSON indicator. |
| RST.Domain.Related | String | The associated IP addresses. |
| RST.Domain.FalsePositive | String | true if it is likely a False Positive. |
| RST.Domain.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |
| RST.Domain.CVE | String | Related CVE (vulnerabilities). |
| RST.Domain.Industry | String | Related Industry. |
| RST.Domain.Report | String | Collected from. |

Command Example#

!domain domain="domaintovalidate.local" threshold=40

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "domaintovalidate.local",
    "Score": 2,
    "Type": "domain",
    "Vendor": "RST Cloud"
  },
  "Domain": {
    "Name": "domaintovalidate.local",
    "Tags": [
      "malware"
    ]
  },
  "RST": {
    "Domain": {
      "FalsePositive": "true",
      "FalsePositiveDesc": "Domain not resolved. Whois records not found",
      "FirstSeen": "2020-06-26T00:00:00.000Z",
      "LastSeen": "2021-01-25T00:00:00.000Z",
      "Name": "domaintovalidate.local",
      "RSTReference": "https://rstcloud.net/uuid?id=552fdbe7-7265-3a9d-b364-83426d1c2dbc",
      "Related": {
        "a": [],
        "alias": [],
        "cname": []
      },
      "Score": "10",
      "Tags": [
        "malware"
      ],
      "Threat": [],
      "Type": "Domain",
      "UUID": "552fdbe7-7265-3a9d-b364-83426d1c2dbc",
      "WhoisAge": "",
      "WhoisDomainCreationDate": "",
      "WhoisDomainExpireDate": "",
      "WhoisDomainUpdateDate": "",
      "WhoisRegistrant": "",
      "WhoisRegistrar": ""
    }
  }
}
```

Human Readable Output#

RST Threat Feed Domain Reputation for: domaintovalidate.local#

| Description | Last Seen | Relevance | Score | Tags |
| --- | --- | --- | --- | --- |
| Ioc with tags: malware | 2021-01-25 | Suspicious | 10 | malware |

url#


Returns URL information and reputation.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | List of URLs. | Required |
| threshold | If the URL has a reputation score above the threshold, the URL is defined as malicious. If threshold is not set, the threshold from the instance configuration is used. Default is 30. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| URL.Data | String | The URL. |
| URL.Tags | String | The associated tags. |
| URL.Malicious.Vendor | String | The vendor reporting the URL as malicious. |
| URL.Malicious.Description | String | A description explaining why the URL was reported as malicious. |
| URL.Malicious.Score | String | The score calculated for the URL indicator by the vendor. |
| RST.URL.Data | String | The URL. |
| RST.URL.Status | String | Last HTTP status code. |
| RST.URL.FirstSeen | Date | First Seen. |
| RST.URL.LastSeen | Date | Last Seen. |
| RST.URL.Tags | String | The associated tags. |
| RST.URL.Threat | String | The associated Malware Family or threat name. |
| RST.URL.Score | Number | The total score. |
| RST.URL.UUID | String | The unique ID for the indicator. |
| RST.URL.Description | String | The associated Description provided by the vendor. |
| RST.URL.FalsePositive | String | true if it is likely a False Positive. |
| RST.URL.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |
| RST.URL.Parsed | String | Parsed URL components. |
| RST.URL.CVE | String | Related CVE (vulnerabilities). |
| RST.URL.Industry | String | Related Industry. |
| RST.URL.Report | String | Collected from. |

Command Example#

!url url="https://domain.local/testurl" threshold=30

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "https://domain.local/testurl",
    "Score": 2,
    "Type": "url",
    "Vendor": "RST Cloud"
  },
  "RST": {
    "URL": {
      "CVE": [],
      "Data": "https://domain.local/testurl",
      "FalsePositive": "true",
      "FalsePositiveDesc": "Resource unavailable",
      "FirstSeen": "2021-01-05T00:00:00.000Z",
      "LastSeen": "2021-01-26T00:00:00.000Z",
      "Parsed": {
        "anchor": null,
        "domain": "domain.local",
        "params": null,
        "path": "/testurl",
        "port": "443",
        "schema": "https"
      },
      "RSTReference": "https://rstcloud.net/uuid?id=f64f7a99-068b-3fec-b572-598f9d11d4d6",
      "Score": "14",
      "Status": "503",
      "Tags": [
        "malware"
      ],
      "Threat": [
        "emotet"
      ],
      "Type": "URL",
      "UUID": "f64f7a99-068b-3fec-b572-598f9d11d4d6"
    }
  },
  "URL": {
    "Data": "https://domain.local/testurl",
    "Tags": [
      "malware"
    ]
  }
}
```

Human Readable Output#

RST Threat Feed URL Reputation for: https://domain.local/testurl#

| Description | Last Seen | Relevance | Score | Tags | Threat |
| --- | --- | --- | --- | --- | --- |
| Ioc with tags: malware. related threats: emotet | 2021-01-26 | Suspicious | 14 | malware | emotet |

file#


Returns File information and reputation.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | List of Files. | Required |
| threshold | If the File has a reputation score above the threshold, the File is defined as malicious. If threshold is not set, the threshold from the instance configuration is used. Default is 5. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| File.Name | String | The file name. |
| File.MD5 | String | MD5 hash of the file. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.Tags | String | The associated tags. |
| File.Malicious.Vendor | String | The vendor reporting the File as malicious. |
| File.Malicious.Description | String | A description explaining why the File was reported as malicious. |
| File.Malicious.Score | String | The score calculated for the File indicator by the vendor. |
| RST.File.Name | String | The file name. |
| RST.File.MD5 | String | MD5 hash of the file. |
| RST.File.SHA1 | String | SHA1 hash of the file. |
| RST.File.SHA256 | String | SHA256 hash of the file. |
| RST.File.FirstSeen | Date | First Seen. |
| RST.File.LastSeen | Date | Last Seen. |
| RST.File.Tags | String | The associated tags. |
| RST.File.Threat | String | The associated Malware Family or threat name. |
| RST.File.Score | Number | The total score. |
| RST.File.UUID | String | The unique ID for the indicator. |
| RST.File.Description | String | The associated Description provided by the vendor. |
| RST.File.FalsePositive | String | true if it is likely a False Positive. |
| RST.File.FalsePositiveDesc | String | Description of why we think it may be a False Positive. |
| RST.File.CVE | String | Related CVE (vulnerabilities). |
| RST.File.Industry | String | Related Industry. |
| RST.File.Report | String | Collected from. |

Command Example#

!file file="fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc" threshold=5

Context Example#

```json
{
  "DBotScore": {
    "Indicator": "fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc",
    "Score": 3,
    "Type": "file",
    "Vendor": "RST Cloud"
  },
  "RST": {
    "File": {
      "CVE": [],
      "FalsePositive": "false",
      "FalsePositiveDesc": "",
      "FirstSeen": "2021-05-11T00:00:00.000Z",
      "Industry": [],
      "LastSeen": "2022-03-11T00:00:00.000Z",
      "Name": [],
      "RSTReference": "https://rstcloud.net/uuid?id=c86948e7-eb72-3fe1-96e9-429e885cea3b",
      "Report": [
        "https://www.threatfabric.com/blogs/partners-in-crime-medusa-cabassous.html"
      ],
      "SHA256": "fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc",
      "Score": "6",
      "Tags": [
        "malware"
      ],
      "Threat": [
        "medusa",
        "flubot"
      ],
      "Type": "File",
      "UUID": "c86948e7-eb72-3fe1-96e9-429e885cea3b"
    }
  },
  "File": {
    "SHA256": "fe3d38316dc38a4ec63eac80e34cb157c9d896460f9b7b3bfbd2cec4e2cb8cdc",
    "Tags": [
      "malware"
    ]
  }
}
```

Human Readable Output#

RST Threat Feed File Reputation for: https://domain.local/testurl#

| Description | Last Seen | Relevance | Score | Tags | Threat |
| --- | --- | --- | --- | --- | --- |
| Ioc with tags: malware. related threats: emotet | 2021-01-26 | Suspicious | 14 | malware | emotet |

rst-submit-new#


Submits an indicator to RST Threat Feed.

Base Command#

rst-submit-new

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ioc | List of IOCs (URLs, domains or IPs). | Required |
| description | Any context to pass to RST Cloud. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!rst-submit-new ioc="thisisamaliciouswebsite.com" description="a user downloaded a trojan"

Human Readable Output#

Indicator: thisisamaliciouswebsite.com was submitted as a potential threat indicator to RST Cloud

rst-submit-fp#


Submits a potential False Positive to RST Threat Feed.

Base Command#

rst-submit-fp

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ioc | List of IOCs (URLs, domains or IPs). | Required |
| description | Any context to pass to RST Cloud. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!rst-submit-fp ioc="thisisnotamaliciousdomain.com" description="a decent website"

Human Readable Output#

Indicator: thisisnotamaliciousdomain.com was submitted as False Positive to RST Cloud